Insecure Apps & APIs are a Problem


Your business depends on web applications


Any app or API can be a foothold into your organization


Developers are not incentivized for security 


Cloud-based apps are easy for developers to deploy


Web Applications are Being Targeted


Most common data breach pattern *

Top hacking vector *

U.S. Postal Service (API) - 2018
Facebook (API)
Google+ (API)
MyFitnessPal (API?)
Equifax

* Source: 2018 Verizon DBIR


Apps & APIs are Everywhere


Public-Facing Web Apps

Internal Web Apps

Apps in Public Clouds

REST APIs

New Apps under Development
Web Application Scanning


Qualys Web Application Scanning (WAS)

A leading dynamic application security testing (DAST) tool

Identifies app-layer vulnerabilities

(Screenshot: WAS module UI with the Dashboard, Web Applications, Scans, Detections, Reports, Configuration and KnowledgeBase tabs.)


Scanning with WAS in DevOps

(Diagram: developers commit to a source code repository; the application is promoted through Dev, Test, Staging and GA environments; each environment is scanned via the WAS API by the scan engine, using a Qualys Scanner Appliance where the target is not reachable from the cloud.)
DEMO: Qualys WAS Jenkins Plugin v2

(Screenshot: Jenkins > Acme Application > Pipeline Syntax, Snippet Generator)

Overview

This Snippet Generator will help you learn the Pipeline Script code which can be used to define various steps. Pick a step you are interested in from the list, configure it, click Generate Pipeline Script, and you will see a Pipeline Script statement that would call the step with that configuration. You may copy and paste the whole statement into your script, or pick up just the options you care about. (Most parameters are optional and can be omitted in your script, leaving them at default values.)

Steps
Sample Step: qualysWASScan: Qualys WAS Plugin for Jenkins
API Login

Provide details for accessing the Qualys WAS API

API Server URL: https://qualysapi.qualys.com (the platform-specific API host; refer to the WAS API User Guide for the URL of your platform)
API Username
API Password
Use Proxy Settings (optional)

Connection test successful!
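The Jenkins plugin is a wrapper around the WAS REST API that the login form above authenticates to. The script below is an added example, not the plugin's code or Qualys code, showing what a CI gate does underneath: build the launch request for a scan, read the scan id and status back, then search open findings on the web app and fail the build when any is at or above a severity threshold. The endpoints (`/launch/was/wasscan`, `/status/was/wasscan/{id}`, `/search/was/finding`) and the XML shapes follow WAS API v3 as I recall it from the WAS API User Guide; check them against the guide for your platform. The sample responses are constructed inline so the parsing and gate logic run offline; `call()` is the only part that touches the network and is not exercised here.

```python
"""Drive a WAS scan from CI and gate the build on open findings.

Added example, not the Jenkins plugin's or Qualys' code. Endpoints and XML
shapes follow the WAS API v3 as recalled from the WAS API User Guide; verify
them against the guide for your platform before relying on this.
"""
import base64
import xml.etree.ElementTree as ET
from urllib import request

API_BASE = "https://qualysapi.qualys.com/qps/rest/3.0"  # platform-specific host
BLOCKING_STATUSES = ("NEW", "ACTIVE", "REOPENED")         # finding statuses that are still open


def auth_headers(username: str, password: str) -> dict:
    """HTTP Basic auth; the Qualys API also insists on an X-Requested-With header."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}",
            "Content-Type": "text/xml",
            "X-Requested-With": "ci-gate"}


def launch_request(name: str, webapp_id: int, profile_id: int) -> bytes:
    """Body for POST {API_BASE}/launch/was/wasscan."""
    root = ET.Element("ServiceRequest")
    scan = ET.SubElement(ET.SubElement(root, "data"), "WasScan")
    ET.SubElement(scan, "name").text = name
    ET.SubElement(scan, "type").text = "VULNERABILITY"
    target = ET.SubElement(scan, "target")
    ET.SubElement(ET.SubElement(target, "webApp"), "id").text = str(webapp_id)
    ET.SubElement(ET.SubElement(target, "scannerAppliance"), "type").text = "EXTERNAL"
    ET.SubElement(ET.SubElement(scan, "profile"), "id").text = str(profile_id)
    return ET.tostring(root)


def _ok(body: bytes) -> ET.Element:
    """Parse a ServiceResponse and fail loudly unless responseCode is SUCCESS."""
    root = ET.fromstring(body)
    code = root.findtext("responseCode")
    if code != "SUCCESS":
        detail = root.findtext("responseErrorDetails/errorMessage") or ""
        raise RuntimeError(f"WAS API error {code}: {detail}")
    return root


def scan_id_from_launch(body: bytes) -> int:
    return int(_ok(body).findtext("data/WasScan/id"))


def scan_status(body: bytes) -> str:
    """From GET {API_BASE}/status/was/wasscan/{id}: SUBMITTED, RUNNING, FINISHED, ERROR or CANCELED."""
    return _ok(body).findtext("data/WasScan/status")


def finding_search_request(webapp_id: int, min_severity: int) -> bytes:
    """Body for POST {API_BASE}/search/was/finding: open findings at or above a severity."""
    root = ET.Element("ServiceRequest")
    filters = ET.SubElement(root, "filters")
    for fld, op, value in (("webApp.id", "EQUALS", str(webapp_id)),
                           ("severity", "GREATER", str(min_severity - 1)),
                           ("status", "IN", ",".join(BLOCKING_STATUSES))):
        ET.SubElement(filters, "Criteria", field=fld, operator=op).text = value
    return ET.tostring(root)


def blocking_findings(body: bytes, min_severity: int) -> list:
    """Re-check severity and status client-side so a loosened server filter cannot pass the gate."""
    hits = []
    for f in _ok(body).findall("data/Finding"):
        sev = int(f.findtext("severity") or 0)
        status = f.findtext("status") or ""
        if sev >= min_severity and status in BLOCKING_STATUSES:
            hits.append({"qid": f.findtext("qid"), "name": f.findtext("name"),
                         "severity": sev, "status": status, "url": f.findtext("url")})
    return hits


def gate(findings_body: bytes, min_severity: int = 3) -> bool:
    """True when the build may proceed: no open finding at or above min_severity."""
    return not blocking_findings(findings_body, min_severity)


def call(url: str, headers: dict, body: bytes = None) -> bytes:
    """One HTTP round trip; POST when a body is given, else GET. Not exercised offline."""
    req = request.Request(url, data=body, headers=headers, method="POST" if body else "GET")
    with request.urlopen(req, timeout=60) as resp:
        return resp.read()


# Constructed sample responses (not captured from a real platform; QIDs/names are placeholders).
SAMPLE_LAUNCH = b"<ServiceResponse><responseCode>SUCCESS</responseCode><data><WasScan><id>1234567</id></WasScan></data></ServiceResponse>"
SAMPLE_STATUS = b"<ServiceResponse><responseCode>SUCCESS</responseCode><data><WasScan><id>1234567</id><status>FINISHED</status></WasScan></data></ServiceResponse>"
SAMPLE_FINDINGS = b"""<ServiceResponse><responseCode>SUCCESS</responseCode><count>3</count><data>
<Finding><id>1</id><qid>150001</qid><name>Reflected XSS</name><severity>4</severity><status>ACTIVE</status><url>https://acme.example/search</url></Finding>
<Finding><id>2</id><qid>150003</qid><name>SQL Injection</name><severity>5</severity><status>FIXED</status><url>https://acme.example/login</url></Finding>
<Finding><id>3</id><qid>150010</qid><name>Path Disclosure</name><severity>2</severity><status>NEW</status><url>https://acme.example/old</url></Finding>
</data></ServiceResponse>"""

if __name__ == "__main__":
    print("scan", scan_id_from_launch(SAMPLE_LAUNCH), "is", scan_status(SAMPLE_STATUS))
    for h in blocking_findings(SAMPLE_FINDINGS, 3):
        print(f"BLOCKING sev{h['severity']} QID {h['qid']} {h['name']} at {h['url']}")
    print("build passes" if gate(SAMPLE_FINDINGS) else "build fails")
```

In a live pipeline the three `call()`s run in order (launch, poll status until FINISHED, search findings) with `auth_headers()` built from Jenkins credentials, never from values hard-coded in the Jenkinsfile; the threshold is re-applied client-side so that a mis-typed server filter cannot silently pass the gate.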


Manual Testing Complements WAS 


Dynamic application scanning is one piece of the AppSec puzzle 
Manual penetration testing is important for your business-critical apps


Qualys WAS offers: 


Bugcrowd integration 
Burp Suite integration 
Partnerships with consulting companies 
Qualys WAS Burp Extension

(Diagram: Burp Suite -> Web Application Scanning)

A quick, intuitive way to send Burp-discovered issues into WAS
Provides centralized viewing/reporting of WAS detections + Burp issues

Available today in Burp's BApp Store
(Screenshot: Burp Suite Professional v2.0.11beta, Extender > BApp Store, listing "Qualys WAS"; a "Qualys WAS" tab appears in Burp's tab bar.)

The Qualys WAS Burp extension provides a way to easily push Burp scanner findings to the Web Application Scanning (WAS) module within the Qualys Cloud Platform. As a Qualys WAS customer, you can then view and report Burp issues alongside WAS findings for a more complete picture of your web application's security posture.

To learn more about Qualys WAS, its integration with Burp, and the additional security and compliance solutions available in the Qualys Cloud Platform, please visit https://qualys.com/was-burp.

Requirements:
Burp Suite Professional 1.7 or later
Qualys WAS subscription, including API

Features:
Straightforward setup and usage
Supports all Qualys shared platforms as well as private cloud platforms
Selected Burp scanner finding(s) exported to Qualys WAS via context menu
Upstream proxy server settings in Burp are honored automatically
Option to purge or close existing Burp issues in WAS
Written in Java

Usage:
1. Add the extension to your instance of Burp Suite Professional by installing directly from the "BApp Store" tab within Burp or by loading the jar file from the Extensions tab.
2. In the "Qualys WAS" tab, select the appropriate Qualys platform for your subscription and enter your Qualys username & password.


WAS Roadmap

April 2019: Cancel slice in multi-scan; Expanded Finding API
May-June 2019: Full HTTP request; Info Leakage via header; TLS 1.3
Q3 2019 *: Postman Collections; User-defined signatures; Enhanced crawling
Q4 2019 *: New dashboard; Bamboo plugin
2020: Qualys API Security

* Tentative
Qualys Web Application Firewall (WAF)

Virtual, inline reverse-proxy
Inspects HTTP/S traffic, including Web Services and REST APIs
Protects against numerous types of attacks including the OWASP Top 10
Supported Platforms: Deploy anywhere

(Screenshot: "Select Virtual Appliance Image: Choose the virtualization platform you want to use to run your WAF appliance on.")

VMware (standard VMware virtualization platform)
Microsoft Hyper-V
Amazon EC2 (EC2-Classic, EC2-VPC)
Microsoft Azure
Google Cloud Platform
Docker


Built-in Security Policies

Out-of-the-box rulesets written by Qualys security researchers

(Screenshot: Web Application edit page, Security Policy section: "a combination of protocol profiles and security templates that protect the application". Action: Block. The Policy dropdown lists templates such as Drupal, JBoss, Joomla!, Magento 1.x, Magento 1.x.x, Magento 2.x and Magento 2.x.x.)
User-Defined Custom Rules

Adjust your security policy manually

(Screenshot: Rule Creation wizard with four steps: Rule Details, Conditions, Actions, Review And Confirm.
Step 2 of 4, Rule conditions: each condition is VARIABLE OPERATOR "value", e.g. request.query-string.parameter.value MATCH "foo" to match a request parameter value of foo. Variables offered include request.query-string.length, request.query-string.parameter, request.query-string.parameter.count, request.query-string.parameter.name, request.query-string.parameter.name.length, request.query-string.parameter.value, request.query-string.parameter.value.length and request.url.
Step 3 of 4, Rule actions: Allow, Block, Block with custom page, Redirect, Insert header, Rewrite header, Strip header, with Custom Response and Log options.)


Load-Balancing and SSL-Offloading

To ease integration with the network environment

(Screenshot: Server Pool Creation wizard, step 2 of 3 "Server Pool configuration" (steps: Server Pool Details, Configuration, Review And Confirm). Settings shown:
Application Servers: list of backend addresses (http:// prefix, type address + Enter); Load-balancing: roundrobin
Protocol: HTTPS
SSL Certificate: the selected certificate is flagged with three warnings: "The certificate expired on 13 Feb 2018", "The certificate is self signed", and "The web application's URL (https://demo06.s02.sjc01.qualys.com/) didn't match the certificate's common or alt names"
SSL/TLS Protocol: TLS 1.2 selected; SSL v3 available but unselected
Cipher suite security level: Strong (vs. Unsafe)
Cipher Suite: ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES256-GCM-SHA384)
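The three certificate warnings and the protocol/cipher choices in that screenshot are exactly what should be checked before a listener goes live. The script below is an added example (not Qualys code) that performs those checks in one place: certificate expiry, self-signature and hostname match against CN and SANs (with RFC 6125-style single-label wildcards), rejection of anything other than TLS 1.2/1.3, and a classification of OpenSSL-style cipher-suite names into unsafe (broken primitives or no forward secrecy), weak (CBC + HMAC) and strong (ephemeral key exchange + AEAD). Certificate fields are passed as a plain dict rather than parsed from X.509 so it runs offline; the sample certificate is constructed to mirror the screenshot, and the cipher list is the one shown on the slide.

```python
"""Check a WAF listener's certificate and TLS settings the way the UI warnings do.

Added example, not Qualys code. Certificate fields come in as a dict
(subject, issuer, common_name, sans, not_after); sample values are constructed.
"""
from datetime import datetime, timezone
from urllib.parse import urlsplit

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Any of these tokens in an OpenSSL-style suite name marks it broken or export-grade.
UNSAFE_TOKENS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ANON")
AEAD_TOKENS = ("GCM", "CHACHA20", "CCM")


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact, or a leftmost '*' covering exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Same label count, at least two fixed labels (never '*.com'), identical tail.
    return len(p_labels) == len(h_labels) >= 3 and p_labels[1:] == h_labels[1:]


def classify_cipher(name: str) -> str:
    """'unsafe' (broken or no forward secrecy), 'weak' (CBC+HMAC) or 'strong' (ephemeral + AEAD)."""
    u = name.upper()
    if any(tok in u for tok in UNSAFE_TOKENS):
        return "unsafe"
    # TLS 1.3 names (TLS_...) are always ephemeral; for 1.2 require ECDHE or DHE key exchange.
    if not (u.startswith("ECDHE-") or u.startswith("DHE-") or u.startswith("TLS_")):
        return "unsafe"
    return "strong" if any(tok in u for tok in AEAD_TOKENS) else "weak"


def check_tls_policy(cert: dict, url: str, protocols: set, ciphers: list, now: datetime) -> list:
    """Return (level, message) findings; 'error' should stop deployment, 'warning' needs review."""
    findings = []
    host = urlsplit(url).hostname or ""
    if cert["not_after"] < now:
        findings.append(("error", f"The certificate expired on {cert['not_after']:%d %b %Y}"))
    if cert["issuer"] == cert["subject"]:
        findings.append(("warning", "The certificate is self signed"))
    names = [cert["common_name"], *cert.get("sans", [])]
    if not any(hostname_matches(n, host) for n in names):
        findings.append(("error", f"The web application's URL ({url}) didn't match "
                                  f"the certificate's common or alt names {names}"))
    for proto in sorted(protocols - ALLOWED_PROTOCOLS):
        findings.append(("error", f"{proto} is enabled; offer only TLS 1.2/1.3"))
    for suite in ciphers:
        level = classify_cipher(suite)
        if level == "unsafe":
            findings.append(("error", f"cipher suite {suite} is unsafe"))
        elif level == "weak":
            findings.append(("warning", f"cipher suite {suite} uses CBC+HMAC; prefer an AEAD suite"))
    return findings


# Constructed sample mirroring the screenshot: expired, self-signed, wrong name.
SAMPLE_CERT = {
    "subject": "CN=waf-demo", "issuer": "CN=waf-demo", "common_name": "waf-demo",
    "sans": ["waf-demo.local"], "not_after": datetime(2018, 2, 13, tzinfo=timezone.utc),
}
PAGE_CIPHERS = ["ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
                "ECDHE-ECDSA-AES256-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384"]


def demo(protocols=frozenset({"TLSv1.2"}), extra_ciphers=()) -> list:
    """Evaluate the sample as of the dashboard date on the slides (12 Apr 2019)."""
    return check_tls_policy(SAMPLE_CERT, "https://demo06.s02.sjc01.qualys.com/",
                            set(protocols), PAGE_CIPHERS + list(extra_ciphers),
                            now=datetime(2019, 4, 12, tzinfo=timezone.utc))


if __name__ == "__main__":
    for level, msg in demo({"TLSv1.2", "SSLv3"}, ["RC4-SHA"]):
        print(f"{level.upper():7} {msg}")
```

Note that the slide's four suites all pass the "Strong" bar in the UI, but two of them (the `-SHA384` ones without `GCM`) are CBC suites; the check reports them as warnings so you can drop them once every client supports an AEAD suite.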


Actionable Security Data

(Screenshot: WAF Dashboard, All Web Applications, last 30 days (Wed 13 Mar 2019 - Fri 12 Apr 2019). Panels: Activity Timeline; Web Application Statistics with Hits 10.9M, Blocked Events 3.34M and Client Bandwidth; Event Summary; Top Events; Traffic Origins.)
WAS / WAF Integration: ScanTrust

ScanTrust : Challenge your WAF protection with WAS
Assess both the application and the policy that protects it

1. Request inspected and forwarded to backend server
2. WAF annotates HTTP response
WAS / WAF Integration: Virtual Patch

Virtual Patch : One-click mitigation tool
Push a custom rule to WAF to block exploit on known vulnerability

(Screenshot: "You are about to install a virtual patch" dialog: "We'll automatically add a virtual patch rule to your WAF to block exploitation of the selected vulnerability on your web application. You can easily remove the virtual patch (and rule) at any time either here or from the WAF management interface." Patch Details / View Detection.
Generated rule: When request.header.content-type MATCH ".*\%.*\{.*multipart/form-data$"
Resulting rule list in WAF:
1. request.path MATCH (regular expression illegible in the source)
2. request.header.content-type MATCH .*\%.*\{.*multipart...
3. request.header Content-Type DETECT 150173
4. request.query-string.parameter p MATCH ^.*admin.*$)
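To make the custom-rule model and the virtual patch above concrete, here is an added example (not Qualys WAF code, and not its rule syntax) of a small evaluator in the same condition/action shape: conditions are VARIABLE OPERATOR "value" using the variable names from the Rule Creation wizard (request.url, request.path, request.header.<name>, request.query-string.parameter.<name>, .count, .length), MATCH is a regular-expression search, and the actions are Allow, Block, Redirect and Insert header. DETECT (Qualys signature-based) conditions are not modelled. The two blocking rules are taken from the virtual-patch slide; the third rule, the sample requests and the response-annotation header name (in the spirit of the ScanTrust annotation) are constructed and assumed.

```python
"""A minimal WAF rule evaluator in the condition/action model of the slides.

Added example, not Qualys WAF code or its rule syntax. Variable names, MATCH
and the action names are taken from the slides; requests and the annotation
header are constructed.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

ANNOTATION_HEADER = "X-WAF-Rule"  # assumed name: tells a scanner which rule fired


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)  # lower-cased header names

    @property
    def path(self) -> str:
        return urlsplit(self.url).path

    @property
    def query(self) -> str:
        return urlsplit(self.url).query

    @property
    def params(self) -> list:
        return parse_qsl(self.query, keep_blank_values=True)


@dataclass
class Rule:
    name: str
    conditions: list   # (variable, operator, value); all must hold
    action: str        # ALLOW, BLOCK, REDIRECT, INSERT_HEADER
    param: str = ""    # Location for REDIRECT, "Name: value" for INSERT_HEADER


def extract(req: Request, variable: str) -> list:
    """Resolve a rule variable to the list of strings it denotes for this request."""
    parts = variable.split(".")
    if parts == ["request", "url"]:
        return [req.url]
    if parts == ["request", "path"]:
        return [req.path]
    if parts[:2] == ["request", "header"]:
        return [req.headers.get(parts[2].lower(), "")]
    if parts[:2] == ["request", "query-string"]:
        rest = parts[2:]
        if rest == []:
            return [req.query]
        if rest == ["length"]:
            return [str(len(req.query))]
        if rest[0] == "parameter":
            want_len = rest[-1] == "length"
            if rest[1:] == ["count"]:
                return [str(len(req.params))]
            if rest[1:] in (["name"], ["name", "length"]):
                vals = [k for k, _ in req.params]
            elif rest[1:] in ([], ["value"], ["value", "length"]):
                vals = [v for _, v in req.params]
            else:  # request.query-string.parameter.<name>[.value|.length]
                vals = [v for k, v in req.params if k == rest[1]]
            return [str(len(v)) for v in vals] if want_len else vals
    raise ValueError(f"unsupported variable {variable!r}")


def holds(req: Request, variable: str, operator: str, value: str) -> bool:
    vals = extract(req, variable)
    if operator == "MATCH":
        return any(re.search(value, v) for v in vals)
    if operator == "EQUALS":
        return value in vals
    if operator == "CONTAINS":
        return any(value in v for v in vals)
    if operator == "GREATER":
        return any(v.isdigit() and int(v) > int(value) for v in vals)
    raise ValueError(f"unsupported operator {operator!r}")


def evaluate(rules: list, req: Request) -> dict:
    """Header inserts accumulate; the first ALLOW/BLOCK/REDIRECT whose conditions hold decides."""
    headers = {}
    for rule in rules:
        if not all(holds(req, *cond) for cond in rule.conditions):
            continue
        if rule.action == "INSERT_HEADER":
            name, _, val = rule.param.partition(":")
            headers[name.strip()] = val.strip()
            continue
        headers[ANNOTATION_HEADER] = rule.name
        if rule.action == "REDIRECT":
            headers["Location"] = rule.param
        status = {"BLOCK": 403, "REDIRECT": 302}.get(rule.action)
        return {"action": rule.action, "rule": rule.name, "status": status, "headers": headers}
    return {"action": "ALLOW", "rule": None, "status": None, "headers": headers}  # forwarded


RULES = [
    Rule("hsts", [("request.url", "MATCH", r"^https://")], "INSERT_HEADER",
         "Strict-Transport-Security: max-age=31536000"),          # constructed
    Rule("virtual-patch-content-type",                             # from the slide
         [("request.header.content-type", "MATCH", r".*\%.*\{.*multipart/form-data$")], "BLOCK"),
    Rule("block-admin-in-p",                                       # from the slide
         [("request.query-string.parameter.p", "MATCH", r"^.*admin.*$")], "BLOCK"),
]

# Constructed requests: a normal upload, an expression-injection probe in Content-Type, an admin probe.
UPLOAD = Request("POST", "https://acme.example/upload", {"content-type": "multipart/form-data; boundary=----xyz"})
PROBE = Request("POST", "https://acme.example/upload", {"content-type": "%{(#probe='1')}; multipart/form-data"})
ADMIN = Request("GET", "https://acme.example/page?p=show_admin_panel")

if __name__ == "__main__":
    for r in (UPLOAD, PROBE, ADMIN):
        print(r.method, r.url, "->", evaluate(RULES, r))
```

The legitimate multipart upload is forwarded (with the inserted HSTS header), the probe whose Content-Type carries `%{` before `multipart/form-data` is blocked by the virtual-patch rule, and `?p=show_admin_panel` is blocked by the parameter rule. Because the virtual patch keys on one header pattern, it buys time for the fix rather than replacing it: a scanner run through the WAF (as ScanTrust does) should be repeated after the patch to confirm the detection no longer fires.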
Working with WAF as a Container

Virtual Firewall Container (OVFC)

Lightweight sensor (350 MB)
Integrates with Docker Service

Dynamic pool automation - Scalability

Orchestration via Qualys API
Deploy as a Side-Car Proxy

(Diagram: a WAF container runs as a side-car next to the application containers on each Docker Engine host; orchestrators shown: Kubernetes, Mesos, OpenShift, Amazon ECS.)
Or Deploy on PaaS via Kubernetes

(Diagram: WAF containers on Google Cloud Platform Container Engine; browser traffic passes through the WAF; the WAF registers with and is configured from the Qualys platform; Infosec/SOC monitor the events.)
Thank You


Dave Ferguson 
dferguson@qualys.com 


